首页 » 云自动化 » k8s » 正文

Kubernetes 1.8.6 集群部署–所遇到的问题(八)

查看dashboard界面

访问以下链接(1.8.3访问 https://masterip:6443/ui 无法访问):

https://MasterIP:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/

当然这个链接是怎么来的?

[root@master1 kubernetes]# kubectl cluster-info
Kubernetes master is running at https://192.168.161.161:6443
Heapster is running at https://192.168.161.161:6443/api/v1/namespaces/kube-system/services/heapster/proxy
KubeDNS is running at https://192.168.161.161:6443/api/v1/namespaces/kube-system/services/kube-dns/proxy
kubernetes-dashboard is running at https://192.168.161.161:6443/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy
monitoring-grafana is running at https://192.168.161.161:6443/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
monitoring-influxdb is running at https://192.168.161.161:6443/api/v1/namespaces/kube-system/services/monitoring-influxdb/proxy

出现的问题

首次安装,如果没有做apiserver参数配置,则可能会出现一些问题。下面就看下常见问题的解决方法

system:anonymous问题

访问dashboard网页时,可能出现下面这种报错:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services \"https:kubernetes-dashboard:\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "name": "https:kubernetes-dashboard:",
    "kind": "services"
  },
  "code": 403
}

Kubernetes API Server新增了 –anonymous-auth 选项,允许匿名请求访问secure port。没有被其他authentication方法拒绝的请求即Anonymous requests, 这样的匿名请求的usernamesystem:anonymous, 归属的组为system:unauthenticated。并且该选线是默认的。这样一来,当采用chrome浏览器访问dashboard UI时很可能无法弹出用户名、密码输入对话框,导致后续authorization失败。为了保证用户名、密码输入对话框的弹出,需要将 –anonymous-auth 设置为 false

解决方法:

在api-server配置文件中添加 –anonymous-auth=false

[root@master1 dashboard]# vim /etc/systemd/system/kube-apiserver.service

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/GoogleCloudPlatform/kubernetes
After=network.target
After=etcd.service

[Service]
ExecStart=/usr/local/bin/kube-apiserver \
  --logtostderr=true \
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota,NodeRestriction \
  --advertise-address=192.168.161.161 \
  --bind-address=192.168.161.161 \
  --insecure-bind-address=127.0.0.1 \
  --authorization-mode=Node,RBAC \
  --anonymous-auth=false \
  --basic-auth-file=/etc/kubernetes/basic_auth_file \
  --runtime-config=rbac.authorization.k8s.io/v1alpha1 \
  --kubelet-https=true \
  --enable-bootstrap-token-auth \
  --token-auth-file=/etc/kubernetes/token.csv \
  --service-cluster-ip-range=10.254.0.0/16 \
  --service-node-port-range=8400-10000 \
  --tls-cert-file=/etc/kubernetes/ssl/kubernetes.pem \
  --tls-private-key-file=/etc/kubernetes/ssl/kubernetes-key.pem \
  --client-ca-file=/etc/kubernetes/ssl/ca.pem \
  --service-account-key-file=/etc/kubernetes/ssl/ca-key.pem \
  --etcd-cafile=/etc/kubernetes/ssl/ca.pem \
  --etcd-certfile=/etc/kubernetes/ssl/kubernetes.pem \
  --etcd-keyfile=/etc/kubernetes/ssl/kubernetes-key.pem \
  --etcd-servers=https://192.168.161.161:2379,https://192.168.161.162:2379,https://192.168.161.163:2379 \
  --enable-swagger-ui=true \
  --allow-privileged=true \
  --apiserver-count=3 \
  --audit-log-maxage=30 \
  --audit-log-maxbackup=3 \
  --audit-log-maxsize=100 \
  --audit-log-path=/var/lib/audit.log \
  --event-ttl=1h \
  --v=2
Restart=on-failure
RestartSec=5
Type=notify
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Unauthorized问题

解决了上面那个问题之后,再度访问dashboard页面,发现还是有问题,出现下面这个问题:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}

解决方法:

新建 /etc/kubernetes/basic_auth_file 文件,并在其中添加:

admin123,admin,1002

文件内容格式:password,username,uid

然后在api-server配置文件(即上面的配置文件)中添加:

--basic-auth-file=/etc/kubernetes/basic_auth_file \

保存重启kube-apiserver:

systemctl daemon-reload
systemctl restart kube-apiserver
systemctl status kube-apiserver

最后在kubernetes上执行下面这条命令:

kubectl create clusterrolebinding login-dashboard-admin --clusterrole=cluster-admin --user=admin

将访问账号名admin与dashboard.yaml文件中指定的cluster-admin关联,获得访问权限。

再次刷新访问:

输入 admin 和密码 admin123 即可正常访问:

当然 其实访问 dashboard 有三种方式:

 kubernetes-dashboard 服务暴露了 NodePort,可以使用 http://NodeIP:nodePort 地址访问 dashboard

 通过 kube-apiserver 访问 dashboard

 通过 kubectl proxy 访问 dashboard
赞 (6)

发表评论